In recent years, several hacking attacks have broken the security of quantum cryptography implementations by 
exploiting the presence of losses and the ability of the eavesdropper to tune detection efficiencies. We present a 
simple attack of this form that applies to any protocol in which the key is constructed from the results of untrusted 
measurements performed on particles coming from an insecure source or channel. Because of its generality, the 
attack applies to a large class of protocols, from standard prepare-and-measure to device-independent schemes. 
Our attack gives bounds on the critical detection efficiencies necessary for secure quantum distribution, which 
show that the implementation of most partly device independent solutions is, from the point of view of detection 
efficiency, almost as demanding as fully device-independent ones. We also show how our attack implies the 
existence of a form of bound randomness, namely non-local correlations in which a non-signalling eavesdropper 
can find out a posteriori the result of any implemented measurement. 


Over the past few decades the problem of bridging the gap between realistic implementation of
Quantum Key Distribution (QKD) protocols and their theoretical security proofs has attracted a
lot of attention. The security of standard QKD protocols [?] relies on a very detailed modeling
of the preparing and measuring devices. However, unavoidable imperfections of the devices or
unnoticed failures lead in practice to deviations from the model used to prove security -
deviations that can be taken advantage of by a potential eavesdropper. Indeed, standard QKD
protocols, being dependent on the accuracy with which the devices are described, can typically
suffer attacks, for instance on the detectors [?].

To overcome these problems a new paradigm was proposed, adopting the device-independent (DI)
framework [?]: In this scenario no assumptions are made either on the source of the shared
system or on the internal working of the devices, which are treated like “black boxes”. In this
context the only object one relies on is the statistics of inputs and outputs, and the security
of a device-independent quantum key distribution (DIQKD) protocol is guaranteed by the nonlocal
character of these statistics [?]. The DI scenario allows for the most general and powerful
quantum certification protocols as it depends on very few assumptions. Nevertheless, their
implementations are demanding because they require very high detection efficiencies to close
the detection loophole (e.g. with photonic implementations [?]).

In order to make the experimental implementations less demanding other scenarios between
standard and fully DI QKD have been introduced. In these intermediate scenarios the parties
involved add some extra assumptions to the fully-DI scheme. The focus is still on the
input/output statistics but with an intermediate level of trust between the fully-DI framework
and the device-dependent one. For instance, semi-device-independent (SDI) protocols have been
proposed where one makes an assumption on the dimension of the involved quantum systems but,
apart from this assumption, the devices are still uncharacterized [?]. From an implementation
point of view, the advantage of SDI protocols is that they do not require entanglement and can
be implemented in a prepare-and-measure configuration. Another class of intermediate scenario,
known as one-sided device-independent (1SDI) [?], is based upon quantum steering [?], which
consists of a bipartite scenario in which one of the parties trusts his measuring devices but
the other does not.

All these different QKD solutions are based on different assumptions and, thus, offer different
levels of security. Although different QKD protocols use different strategies, most of them
share the property that the key is constructed from the results of measurements performed by
one of the end-users on quantum particles that have propagated through an insecure channel.
This is the case, for instance, of the famous Bennett-Brassard-84 [11] and Ekert [12]
protocols, and standard DIQKD protocols, such as those introduced in [?]. Notice however that
not every QKD protocol is of this form, a paradigmatic example being
measurement-device-independent QKD [?].

In this work, we consider the above scenario and therefore focus on an end-user in a
cryptographic protocol who performs measurements on some quantum systems received through an
insecure channel. We introduce an attack by an eavesdropper who is able to control the
detection efficiency of the measurements - a natural assumption in the adversary model of
cryptographic protocols based on untrusted measurements, such as 1SDI, SDI, and DI protocols.
The attack also applies to standard prepare-and-measure protocols if one cannot guarantee that
the eavesdropper is unable to tune the detection efficiencies. In fact recent hacking attacks
on standard QKD protocols have exploited the ability to manipulate detection efficiencies [?].
Our attack defines detection efficiencies necessary for secure quantum key distribution using
the previous protocols. We then discuss how our attack can also be applied to schemes for
randomness generation. From a practical point of view, our results imply that the
implementation of partly DI protocols is, in terms of detection efficiency, almost as
demanding as that of fully DI ones. Moreover, our attack also has implications from a
fundamental point of view: as also observed independently in [?], it implies the existence of
a very weak form of intrinsic randomness in which an eavesdropper limited only by the
no-signalling principle [17] cannot a priori fix the outputs of the measurements in a Bell
test, but she can later find out the result of any implemented measurement. In analogy with
results in thermodynamics and entanglement theory [18], we name this effect bound randomness.


I. THE ATTACK 

The considered scenario consists of a party, say Bob, who measures quantum systems received
through an insecure channel. The received systems may have been prepared by another honest
party, say Alice, or by an untrusted source. In particular, they may be entangled with other
quantum systems. Bob performs on them one of $M_B$ possible measurements with $D$ possible
outcomes. We label the measurement choice and result by $y = 1,\ldots,M_B$ and
$b = 1,\ldots,D$ respectively. In the absence of loss, let Bob’s device give the outcome $b$
with probability $Q(b|y,\rho)$, where $\rho$ is the state of the system received by Bob and
which may be correlated with classical or quantum variables of other parties in the protocol.
For simplicity in the notation, we omit $\rho$ in what follows, as our results are independent
of it.

In a realistic implementation with losses and inefficient detectors, each measurement of Bob
will have a detection efficiency $\eta_y$, and one more outcome is observed, corresponding to
the no-click events which we denote by $b = \emptyset$. That different measurements may have
different efficiencies naturally arises in certain situations, e.g. in [?]. In such a
situation, Bob’s device then produces outcomes with probabilities $P(b|y) = \eta_y Q(b|y)$ for
$b = 1,\ldots,D$, and $P(\emptyset|y) = 1 - \eta_y$.

We exhibit here below a simple attack which allows Eve to learn the output of any subset
$G \subseteq \{1,\ldots,M_B\}$ of Bob’s measurements. This attack does not modify any of Bob’s
outcome probabilities, i.e., it reproduces the full lossy behavior of Bob’s device. In
particular, we stress that it does not rely on Bob performing any kind of post-selection. The
attack requires that Eve is able to tune arbitrarily the detection efficiency of Bob’s
detectors depending on the implemented measurement and works as long as Bob’s observed detector
efficiencies satisfy $\sum_{y \in G} \eta_y \le 1 - \eta'$, where
$\eta' = \max_{y \notin G} \eta_y$ is the maximum detection efficiency over the set of
measurements complementary to $G$, i.e., those that Eve is not interested in guessing. (If this
complementary set of measurements is empty, i.e. when Eve wants to guess the output of all of
Bob’s measurements, we define $\eta' = 0$.)

In the simple case where all detectors have the same efficiency $\eta_y = \eta$, the attack
works whenever $\eta \le 1/(|G| + 1)$ if $|G| < M_B$ or when $\eta \le 1/M_B$ if $|G| = M_B$.
In particular, when Eve is interested in guessing a single one of Bob’s measurements, say
$\bar{y}$, then $|G| = 1$ and the attack works as long as $\eta \le 1/2$. Furthermore, if the
detectors are not all equally efficient, Eve can use the inefficiency of the measurements
$y \neq \bar{y}$ that she is not interested in to raise the critical efficiency of the
measurement $\bar{y}$ that she wants to guess above $\eta_{\bar{y}} = 1/2$, as long as
$\eta_{\bar{y}} \le 1 - \max_{y \neq \bar{y}} \eta_y$.

Let us now explain how the attack works. Eve randomly selects with probability
$\eta_{\bar{y}}$ one of the measurements $\bar{y} \in G$ whose outcomes she wants to guess and
with probability $1 - \sum_{\bar{y} \in G} \eta_{\bar{y}}$ she does not select any particular
measurement. Depending on her choice, she then applies one of the two following strategies.

(i) If she picked measurement $\bar{y} \in G$, she performs this measurement on the incoming
state. She obtains outcome $b$ with probability $Q(b|\bar{y})$, she reads the outcome, and
forwards the corresponding reduced state to Bob. On Bob’s side, she forces Bob’s detector to
click if he performs measurement $y = \bar{y}$, in which case he obtains the same outcome $b$.
If otherwise $y \neq \bar{y}$, she instructs Bob’s device not to click, i.e., to output
$b = \emptyset$.

(ii) If she didn’t select any particular measurement, she directly forwards the state to Bob
without intervention. However, she instructs Bob’s device not to click ($b = \emptyset$) if
$y \in G$. If on the other hand $y \notin G$, she allows his detector to click with
probability $\tau_y$. Bob then obtains a proper result $b$ with probability $\tau_y Q(b|y)$
and a no-click result with probability $1 - \tau_y$.

Obviously, Eve can always correctly guess Bob’s output when $y \in G$ since when Bob’s
measuring device clicks, it always coincides with Eve’s previous measurement result, and she
always knows when his detector does not click (gives outcome $b = \emptyset$). Moreover,
defining the $\tau_y$ such that $\eta_y = (1 - \sum_{\bar{y} \in G} \eta_{\bar{y}})\,\tau_y$
for $y \notin G$, it is straightforward that the strategy yields the overall outcome
probabilities $P(b|y) = \eta_y Q(b|y)$ if $b \neq \emptyset$ and
$P(\emptyset|y) = 1 - \eta_y$, which correspond to lossy devices characterized by detection
efficiencies $\eta_y$. The only requirement for the $\tau_y$’s to be well-defined is that
$\sum_{y \in G} \eta_y \le 1 - \eta'$, where $\eta' = \max_{y \notin G} \eta_y$.
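
The two claims above (Bob’s lossy statistics are reproduced exactly, and Eve knows every outcome of a measurement in $G$) can be checked by exact enumeration. The following is an added example, not code from the paper; the function names, the efficiencies `ETAS` and the ideal distributions `Q` are constructed for illustration.

```python
from fractions import Fraction as F

NOCLICK = None  # label for Bob's no-click outcome

def joint_distribution(etas, G, Q, y):
    """P(b, e | y) for Bob's outcome b and Eve's record e; None if infeasible."""
    in_G = sum(etas[g] for g in G)
    eta_prime = max((etas[k] for k in etas if k not in G), default=F(0))
    if in_G > 1 - eta_prime:          # requires sum_{y in G} eta_y <= 1 - eta'
        return None
    p_none = 1 - in_G                 # Eve selects no particular measurement
    joint = {}

    def add(b, e, p):
        if p:
            joint[(b, e)] = joint.get((b, e), F(0)) + p

    # Strategy (i): with probability eta_ybar Eve measures ybar herself.
    for ybar in G:
        for b, q in enumerate(Q[ybar], start=1):
            if y == ybar:
                add(b, (ybar, b), etas[ybar] * q)        # forced click, same b
            else:
                add(NOCLICK, (ybar, b), etas[ybar] * q)  # forced no-click
    # Strategy (ii): the state is forwarded untouched.
    if y in G:
        add(NOCLICK, ("none",), p_none)
    elif p_none:
        tau = etas[y] / p_none        # eta_y = (1 - sum_G eta) * tau_y
        for b, q in enumerate(Q[y], start=1):
            add(b, ("none",), p_none * tau * q)
        add(NOCLICK, ("none",), p_none * (1 - tau))
    return joint

def bob_marginal(joint):
    """What Bob observes: sum the joint distribution over Eve's record."""
    out = {}
    for (b, _), p in joint.items():
        out[b] = out.get(b, F(0)) + p
    return out

def lossy_model(etas, Q, y):
    """Expected statistics of an honest lossy device with efficiency eta_y."""
    out = {b: etas[y] * q for b, q in enumerate(Q[y], start=1)}
    out[NOCLICK] = 1 - etas[y]
    return out

def guess_probability(joint):
    """Eve's best guess of b given her record e: sum_e max_b P(b, e | y)."""
    best = {}
    for (b, e), p in joint.items():
        best[e] = max(best.get(e, F(0)), p)
    return sum(best.values())

# Constructed sample: M_B = 3 measurements, D = 2 outcomes, unequal efficiencies.
ETAS = {1: F(3, 5), 2: F(2, 5), 3: F(1, 4)}
Q = {1: [F(1, 2), F(1, 2)], 2: [F(3, 4), F(1, 4)], 3: [F(1, 3), F(2, 3)]}

if __name__ == "__main__":
    for y in ETAS:
        j = joint_distribution(ETAS, {1}, Q, y)
        print(y, bob_marginal(j) == lossy_model(ETAS, Q, y), guess_probability(j))
```

With $G = \{1\}$ the sample sits exactly on the boundary $\eta_1 = 1 - \eta'$ with $\eta_1 = 3/5 > 1/2$, so an observed efficiency above one half on the key-generating measurement does not by itself rule the strategy out when the other measurements are less efficient.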

A. Application to QKD protocols 

The above attack applies to any cryptographic protocol in which the key is constructed from
the results of measurements performed by one of the end-users on quantum particles received
through an insecure channel. It thus applies to any Bell based DI protocol, but also to SDI
approaches where the dimension is fixed, protocols based on steering, or prepare-and-measure
protocols, unless the eavesdropper cannot tune Bob’s detection efficiencies. In fact, in many
of these protocols, the key is constructed from a single measurement, which means that in the
best case scenario (that of equal detection efficiencies) they become insecure at
$\eta = 1/2$. It is important to notice that the obtained critical detection efficiencies
apply to any scenario, independently of the number of measurements $M_B$, outputs $D$, or the
role of other parties in the protocol.

By using many measurements for the key generation, one increases the number of measurements
that Eve needs to guess and the critical detection efficiency for our attack decreases.
However, this solution is demanding from Alice’s and Bob’s point of view as many more symbols
are sacrificed after basis reconciliation, and also more statistics needs to be collected to
have a proper estimation of the protocol parameters. In fact the advantage of using more
measurements is limited when considering two distant parties connected by a lossy channel.
Take for instance a rather idealised situation in which all losses come from the channel,
denoted by $\eta_C$ and are equal to $\eta_C = 10^{-\alpha L/10}$ where $L$ is the distance in
km. Then, the improvement in distance with the number of bases is only logarithmic. For
instance, assuming a typical value for the losses of $\alpha$ of the order of 0.2 dB/km, one
has that in order to compensate for the channel losses at 100 km Alice and Bob need to employ
100 bases.

A possible solution to overcome channel losses is to use heralded schemes [20, 21] or quantum
repeaters based on entanglement swapping [22]. Using such schemes, which are technologically
more demanding, the only relevant losses for security are those on the honest parties’ labs.
Alice and Bob can then decide which cryptographic solution to adopt, from standard to fully
device-independent, depending on the observed detection inefficiencies and the plausibility of
the assumptions needed for security.

Our attack also applies to randomness generation schemes based on correlations between
measurements on two different devices. In these schemes, randomness is certified by the
observed quantumness of the correlations, certified for instance by means of steering [23, 24]
or Bell inequalities [25, 26]. As the particles come from an untrusted source, one cannot
exclude that the attack has been implemented on each of the particles sent to the untrusted
parties in the protocol (one in the case of steering and two for Bell-based schemes).

In the case of Bell-based protocols, for instance, it is possible to guess the result of one
measurement on each device when their detection efficiency is $1/2$. Note that in the context
of randomness expansion, it is usually the case that one of the possible combinations of
measurements is implemented most of the time, as this requires much less initial randomness to
run the Bell test [26]. For all these protocols, randomness expansion is lost when the
critical detection efficiency is $1/2$.


B. Improved attacks 

The previous attack applies to many cryptographic scenarios because it is independent of the
number of measurements, outputs and actions by other parties. Improvements however may be
expected for concrete protocols. For instance, we show in what follows how for two untrusted
measuring devices, Eve can improve the attack by exploiting the detection efficiency of the
second party too. Note though that the attack needs more operations from Eve’s side on the
untrusted devices than just varying the detection efficiency of the implemented measurements.
This improved attack is inspired by the local models exploiting detection inefficiencies
introduced in [?].

We thus consider a second party in the protocol, Alice, who performs $M_A$ measurements of $D$
outputs. Her measurement choice and result are labeled by $x$ and $a$. Again, in the presence
of loss, the output probability distribution has one more result because of the no-click
events and is of the form $P(ab|xy) = \eta^2 Q(ab|xy)$,
$P(\emptyset b|xy) = \eta(1 - \eta) Q(b|y)$, $P(a\emptyset|xy) = \eta(1 - \eta) Q(a|x)$,
$P(\emptyset\emptyset|xy) = (1 - \eta)^2$, where the detection efficiencies have for
simplicity all been taken to be equal to $\eta$.


In the improved attack, Eve’s goal is again to guess $G$ measurements on Bob’s side. With
probability $q$ Eve uses the previous attack and does nothing on Alice’s side. With
probability $1 - q$ the attack works in the reverse direction: Eve fixes the output of one of
Alice’s measurements (even though she is still guessing Bob’s result). That is, she picks one
of Alice’s measurements, say $\bar{x}$, with probability $1/M_A$, and decides an output for
this measurement following the quantum probability $Q(a|\bar{x})$. If Alice happens to
implement measurement $\bar{x}$ she will obtain this outcome, otherwise she observes a
no-click. On Bob’s side, Eve computes the reduced state corresponding to Alice’s result and,
for each measurement by Bob, selects one possible outcome following the probability
$Q(b|y, a\bar{x})$ predicted by this state. This defines Bob’s result, whose detector always
clicks. The intuition behind the attack is that for those cases in which Eve fixes Alice’s
result, she can allow any measurement on Bob to give a result, as Alice effectively implements
one single measurement and a hidden-variable model is enough to describe the observed
correlations.

So far the model never gives two no-click events, which does not correspond to the expected
behavior of actual lossy devices. To correct this, with probability $r$, Eve runs the above
protocol and with probability $1 - r$, she instructs both detectors not to click. We finally
get

$$P(ab|xy) = r\left[\frac{q}{|G|'} + \frac{1-q}{M_A}\right] Q(ab|xy)$$

$$P(a\emptyset|xy) = r\,q\left(1 - \frac{1}{|G|'}\right) Q(a|x)$$

$$P(\emptyset b|xy) = r\,(1-q)\left(1 - \frac{1}{M_A}\right) Q(b|y)$$

$$P(\emptyset\emptyset|xy) = 1 - r = (1 - \eta)^2, \qquad (1)$$


where $|G|' = |G| + 1$ when $|G| < M_B$ and $|G|' = |G|$ when $|G| = M_B$, as in the previous
attack. Tuning the parameters so that the above probabilities correspond to those of lossy
devices with equal efficiencies $\eta$, one finds

$$\eta = \frac{|G|' + M_A - 2}{|G|'\,M_A - 1}. \qquad (2)$$


It is easy to see that this attack improves over the previous one, as the corresponding
critical detection efficiency is always larger than $1/|G|'$. For example, in the simplest
case where Alice performs 3 measurements, Bob performs two, and Eve guesses a single outcome,
$(M_A, M_B, |G|) = (3, 2, 1)$, $\eta = 3/5$, increasing the critical efficiency by a further
10%. In the opposite limit, when $M_A \to \infty$, $\eta \to 1/|G|'$, showing that the
advantage of attacking Alice’s measurements decreases with the number of measurements she
performs.
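
The parameter tuning can be reproduced directly from the mixture described above: the first attack with probability $q$, the reversed attack with Alice’s measurement picked with probability $1/M_A$, and both detectors silenced with probability $1 - r$. The following is an added example, not code from the paper; the function names are hypothetical, and it solves the matching conditions in exact arithmetic and compares the result with the closed form (2).

```python
from fractions import Fraction as F

def g_prime(g, m_b):
    """|G|' as defined in the text: |G| + 1 if |G| < M_B, else |G|."""
    return g + 1 if g < m_b else g

def improved_attack(g, m_a, m_b):
    """Solve the matching conditions for |G| = g; returns (eta, q, r)."""
    gp = g_prime(g, m_b)
    if gp < 2 or m_a < 2:
        raise ValueError("need |G|' >= 2 and M_A >= 2")
    a = 1 - F(1, gp)               # Bob stays silent under the first attack
    b = 1 - F(1, m_a)              # Alice stays silent under the reversed attack
    q = b / (a + b)                # equalises the two single-click weights
    both = q / gp + (1 - q) / m_a  # double-click weight, per unit r
    ratio = both / (q * a)         # must equal eta^2 / (eta * (1 - eta))
    eta = ratio / (1 + ratio)
    r = 1 - (1 - eta) ** 2         # from P(no click on either side) = 1 - r
    return eta, q, r

def event_weights(g, m_a, m_b):
    """Weights of (both click, Alice only, Bob only, neither) under the mixture."""
    eta, q, r = improved_attack(g, m_a, m_b)
    gp = g_prime(g, m_b)
    return (r * (q / gp + (1 - q) / m_a),
            r * q * (1 - F(1, gp)),
            r * (1 - q) * (1 - F(1, m_a)),
            1 - r)

def lossy_weights(eta):
    """The same four weights for honest devices of equal efficiency eta."""
    return (eta ** 2, eta * (1 - eta), eta * (1 - eta), (1 - eta) ** 2)

def closed_form(g, m_a, m_b):
    """Critical efficiency of equation (2)."""
    gp = g_prime(g, m_b)
    return F(gp + m_a - 2, gp * m_a - 1)

if __name__ == "__main__":
    # The paper's example (M_A, M_B, |G|) = (3, 2, 1), then growing M_A.
    for m_a in (3, 5, 10, 100):
        eta, q, r = improved_attack(1, m_a, 2)
        print(m_a, eta, float(eta), event_weights(1, m_a, 2) == lossy_weights(eta))
```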


II. BOUND RANDOMNESS 


Our results are not only limited to practical aspects of cryptographic protocol
implementations, but also have implications from a more fundamental point of view. Indeed,
they imply the existence (see also [15, 16]) of non-local correlations with a very weak form
of randomness in which an eavesdropper (i) cannot obviously fix the results of all
measurements in advance but (ii) can later predict with certainty the outcome of any
measurement. As mentioned, we dub this effect bound randomness. Our last result is to show the
existence of bound randomness in the case of eavesdroppers limited only by the no-signalling
principle [?].

The construction of bound randomness relies on a couple of simple observations. First, in a
randomness scenario consisting of two untrusted devices with uniform detection efficiency
$\eta = 1/2$, our (primary) attack can be applied to both parties, so that the eavesdropper
learns the result of one measurement each for Alice and Bob, $\bar{x}$ and $\bar{y}$. Let
$e = (e_a, e_b)$ be Eve’s prediction for Alice and Bob’s outcomes for measurements $\bar{x}$
and $\bar{y}$. This variable can take $(D + 1)^2$ possible values corresponding to the ideal
$D$-valued measurement outcomes plus the no-detection event. Eve obtains outcome $e$ with a
certain probability $P_{\bar{x}\bar{y}}(e)$ and given $e$, her attack defines a joint
probability $P_{\bar{x}\bar{y}}(ab|xy, e)$ for Alice and Bob. Since the attack does not change
the expected probabilities $P(ab|xy)$ from Alice and Bob’s perspective, we have that

$$\sum_e P_{\bar{x}\bar{y}}(abe|xy) = P(ab|xy), \qquad (3)$$

where we have defined the tripartite conditional probability distribution
$P_{\bar{x}\bar{y}}(abe|xy) = P_{\bar{x}\bar{y}}(e)\,P_{\bar{x}\bar{y}}(ab|xy, e)$. Now, the
$M_A M_B$ different attacks defined by each combination of measurement settings
$z = (\bar{x}, \bar{y})$ can be combined into a single tripartite conditional probability
distribution

$$P(abe|xyz) = P_z(abe|xy) \qquad (4)$$

by adding an input $z$ on Eve’s side, where $z$ defines the combination of settings Eve wants
to predict. It is easily verified that this tripartite distribution is no-signalling, see also
[28], and thus represents a valid attack by a no-signalling eavesdropper. By choosing her
input $z$, Eve can steer the ensemble of non-signalling correlations prepared between Alice
and Bob. Thus, she can choose a posteriori the attack that allows her to predict the result of
any given pair $z$ of implemented measurements. The effect is similar to what happens in the
quantum case when predicting the result of non-commuting variables on half of a maximally
entangled state.

Note now that there exist correlations that are non-local - hence whose outcomes cannot all be
fixed in advance - even when the detection efficiency is smaller than $1/2$ - hence whose
outcomes can all be perfectly guessed by Eve a posteriori using the above construction.
Examples of such correlations were given in [29], where it was shown that the critical
detection efficiency required to close the detection loophole decreases exponentially with the
dimension of the measured quantum state in a scenario in which the number of measurements by
Alice and Bob is exponentially large. More generally, any non-local correlations obtained for
detection efficiencies $\eta < 1/2$ constitute examples of bound randomness. Finally, it can
be explicitly checked that both the all-versus-nothing example of [30] and the Peres-Mermin
magic square [?] exhibit bound randomness [32].

III. CONCLUSIONS

We have provided a simple and general detection attack that allows an eavesdropper to guess
some of (or all) the measurement results in a cryptographic protocol. It applies basically to
any protocol with untrusted detectors in which she is able to tune the detection efficiency of
untrusted devices. Obviously our attack cannot be applied to protocols in which the key is not
constructed from measurement results, such as in measurement-device-independent schemes [?].
These protocols, almost by definition, are only sensitive to attacks on the devices that
prepare the quantum states. The generality of our attack also implies that the implementation
of partly DI solutions is, from the point of view of detection efficiency, almost as demanding
as DI ones, which, in turn, offer stronger security.

Interestingly, the critical detection efficiency corresponding to our attack only depends on
the number of measurements that Eve wants to learn, but is independent of the total number of
measurements $M_B$, number of outputs $D$, or dimension of the quantum systems used.

We have also presented an improved attack that applies to protocols with two untrusted
detectors. In this attack, the eavesdropper exploits the detection inefficiencies of one of
the parties to improve her attack on the other party. More generally, it would be interesting
to derive a formalism to study the robustness of concrete protocols to detection attacks, as
these are the most advanced at the moment. This will allow us to understand for which
protocols the detection bounds for security derived here are tight. An analysis of the
tightness of our attack in steering scenarios will be presented in [24].

Finally, our results imply also the existence of a bound randomness, an intriguing and weak
form of certified randomness. In a scenario in which an eavesdropper is limited only by the
no-signalling principle, there exist non-local correlations for which she can find out a
posteriori the results of any implemented measurements. A final open question is to understand
if this form of randomness exists in the quantum case, that is, when the eavesdropper is
limited by the quantum formalism.